Fix #3984 - Fix broken check for drupal_views_user_enum

2014-10-10 10:23:20 -05:00 · 2014-10-10 10:23:20 -05:00 · 260aa8dc22
parent aefd15c185
commit 260aa8dc22
1 changed files with 13 additions and 19 deletions
--- a/modules/auxiliary/scanner/http/drupal_views_user_enum.rb
+++ b/modules/auxiliary/scanner/http/drupal_views_user_enum.rb
@ -35,11 +35,15 @@ class Metasploit3 < Msf::Auxiliary

    register_options(
      [
-        OptString.new('PATH', [true, "Drupal Path", "/"])
+        OptString.new('TARGETURI', [true, "Drupal Path", "/"])
      ], self.class)
  end

-  def check(base_uri)
+  def base_uri
+    @base_uri ||= "#{normalize_uri(target_uri.path)}?q=admin/views/ajax/autocomplete/user/"
+  end
+
+  def check_host(ip)
    res = send_request_cgi({
      'uri'     => base_uri,
      'method'  => 'GET',
@ -47,31 +51,21 @@ class Metasploit3 < Msf::Auxiliary
    }, 25)

    if not res
-      return false
+      return Exploit::CheckCode::Unknown
    elsif res and res.body =~ /\<title\>Access denied/
      # This probably means the Views Module actually isn't installed
-      print_error("#{rhost} - Access denied")
-      return false
+      vprint_error("#{rhost} - Access denied")
+      return Exploit::CheckCode::Safe
    elsif res and res.message != 'OK' or res.body != '[  ]'
-      return false
+      return Exploit::CheckCode::Safe
    else
-      return true
+      return Exploit::CheckCode::Appears
    end
  end

  def run_host(ip)
-    # Make sure the URIPATH begins with '/'
-    datastore['PATH'] = normalize_uri(datastore['PATH'])
-
-    # Make sure the URIPATH ends with /
-    if datastore['PATH'][-1,1] != '/'
-      datastore['PATH'] = datastore['PATH'] + '/'
-    end
-
-    enum_uri = datastore['PATH'] + "?q=admin/views/ajax/autocomplete/user/"
-
    # Check if remote host is available or appears vulnerable
-    if not check(enum_uri)
+    unless check_host(ip) == Exploit::CheckCode::Appears
      print_error("#{ip} does not appear to be vulnerable, will not continue")
      return
    end
@ -83,7 +77,7 @@ class Metasploit3 < Msf::Auxiliary
      vprint_status("Iterating on letter: #{l}")

      res = send_request_cgi({
-        'uri'     => enum_uri+l,
+        'uri'     => base_uri+l,
        'method'  => 'GET',
        'headers' => { 'Connection' => 'Close' }
      }, 25)